Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Amazon CloudFront Supports Configurable CORS and Custom HTTP Response Headers

Amazon CloudFront Supports Configurable CORS and Custom HTTP Response Headers

This item in japanese

Amazon CloudFront recently added support for response headers policies, removing the need of custom Lambda@Edge and CloudFront functions to insert response headers. The new feature allows developers to add cross-origin resource sharing (CORS), security, and custom headers to HTTP responses.

It is now possible to add key-value pairs to response headers, modify a web application's behavior or secure communications at the CDN layer, for example enforcing HTTPS connections. The following security headers are supported: HTTP Strict Transport Security (HSTS), X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Content-Security-Policy.

While Lambda@Edge and CloudFront Functions allow request and response manipulations on CloudFront, response headers policies simplify the process to define CORS, security, and custom response headers. In a separate article, Kamil Bogacz, edge specialist solutions architect at AWS, explains how response headers policies fit into the CloudFront workflow:

You can define multiple combinations of the header sets and keep them as separate and reusable policies. These policies can then be associated with one or more behaviors to achieve the desired application functionality. Adding headers through response headers policies can work together with Lambda@Edge or CloudFront Functions if the response requires additional processing.


Coney Quinn, cloud economist at The Duckbill Group, tweets:

I've been asking for this for *years*. Including (I believe) the AWS CloudFront GM in an EBC at my first re:Invent. I owe someone an edible arrangement.

In 2017 Quinn wrote an article on the "static headache", what used to be the challenge of injecting security headers for static websites:

To insert a static header in CloudFront– a CDN service– you must use a freaking Javascript function to dynamically insert what you want into every godforsaken request. (...) As a final indignity, I now get to pay $0.91 per 1 million requests just to add a static header.

The lack of modifiable response headers was discussed many times on Reddit and Jibril Touzi, senior edge specialist solutions architect at AWS, wrote a popular workaround to add CORS Headers using Lambda@Edge. Laurynas Tumosa, SRE engineer, comments:

Now there are 3 services to add headers to CloudFront, and each of them is slightly different.

Scott Piper, security consultant, summarizes the benefits of HTTP header response manipulation:

No code, no cost, easier to configure and audit.

There are no additional costs for setting CloudFront response headers policies. The new feature is available using the CloudFront Console, the AWS SDKs, and the AWS CLI.

Rate this Article